What is the best method to get rid of a pattern in multiple php files? [on hold]

Working on an infected website with hundreds of PHP files that have the following injected signature code at the top of each file:

<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>

followed by an adjacent <?php part which has legitimate PHP code. In other words, the injected code is not on a separate line.



I composed the following code to get rid of the injected code:



grep -Rl 457563643457563643 . | xargs sed -i 's/<[?]php.*457563643457563643.*[?]>/<?php // RECOVERED FILE ?>/g'


which works fine, but unfortunately it also deletes the legitimate PHP tag that comes just after the injected code.



What would be the best method to get rid of exactly the following part, injected at the top of each file:



<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>
put on hold as unclear what you're asking by Thomas Dickey, Sparhawk, Jeff Schaller, G-Man, Thomas yesterday
  • 1




    Please provide your expected output. Are you trying to remove just the first <?php /*457563643457563643*/ ?>? Is this string always the same? (i.e. why use .* in your regex?)
    – Sparhawk
    2 days ago
















asked 2 days ago by Nick




1 Answer

accepted
The best method is to go to one of your backups from before the intrusion and start from there. It sounds like you want a non-best way. You can use sed to do that.



Using sed, the most straightforward way to remove an exact block of text on a single line is just to use the s command to remove it explicitly:



sed -e 's!<?php /\*457563643457563643\*/ ?><?php /\*5467543654675436\*/ ?><?php /\*6745833567458335\*/ ?><?php /\*87934538793453\*/ ?>!!'


This just replaces the exact string you quoted with nothing – it's necessary to escape the * metacharacter each time, but otherwise this is directly using s!pattern!replacement! in the usual manner.




I would use find -exec (better, -execdir if you've got it) instead of piping xargs, especially if I had a directory tree I couldn't trust. There could be filenames with all sorts of things in them, notably newlines, that might lead to executing commands you don't like. For this particular sed command line it's unlikely to be an actual problem, but I wouldn't count it out.



You can run the grep inside the find command and only act on the file if it matches, or just let sed handle it anyway - if the pattern doesn't match the file will be the same afterwards anyway.




Regardless, I'd still advise caution – these markers aren't the harmful part of things and the bits that are may not be so obvious.



See also: How do I deal with a compromised server?
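As an added example that is not part of the question or of Michael Homer's answer, the following POSIX shell script does what the question asks and what the answer describes in one place: it escapes the marker into a basic regular expression that matches only itself (each * escaped, ? left alone because \? is a GNU quantifier), anchors the substitution to the start of line 1 so the legitimate <?php tag that follows on the same line survives, and walks the tree with find -exec instead of piping file names through xargs. It assumes GNU sed (-i without a suffix) and builds its own constructed sample tree under mktemp -d; the function names marker_bre, clean_tree, make_sample, verify_tree and demo are the example's own.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes GNU sed (for "-i" without a backup suffix) and a POSIX sh.

# The injected signature, exactly as it appears at the top of each file.
MARKER='<?php /*457563643457563643*/ ?><?php /*5467543654675436*/ ?><?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>'

# Turn a literal string into a BRE that matches only that string.
# In a basic regular expression "*" repeats the preceding atom, so every "*"
# in the marker must be escaped. "?" is a literal in a BRE (and "\?" is a GNU
# quantifier), so it must NOT be escaped. "!" is escaped because it is the
# s-command delimiter used below; the remaining metacharacters are escaped for
# completeness so the function also works for other literal markers.
marker_bre() {
    printf '%s' "$1" | sed -e 's/[][\\.^$*!]/\\&/g'
}

# Remove the marker from every .php file below a directory.
# find -exec passes each path as one argument, so names with spaces or
# newlines are handled safely. The grep -F check runs first so that files
# without the marker are never rewritten. The "1" address and the "^" anchor
# limit the edit to the start of the first line, where the injection sits.
clean_tree() {
    pattern=$(marker_bre "$MARKER")
    find "$1" -type f -name '*.php' \
        -exec grep -qF -- "$MARKER" {} \; \
        -exec sed -i -e "1s!^$pattern!!" {} \;
}

# Constructed sample tree: an infected file whose legitimate code follows the
# marker on the same line, an already clean file, and an infected file with
# spaces in its directory and file name.
make_sample() {
    dir=$(mktemp -d)
    printf '%s<?php echo "legit"; ?>\n' "$MARKER" > "$dir/index.php"
    printf '<?php echo "clean"; ?>\n' > "$dir/clean.php"
    mkdir "$dir/sub dir"
    printf '%s<?php\nrequire "x.php";\n' "$MARKER" > "$dir/sub dir/a b.php"
    printf '%s\n' "$dir"
}

# Returns 0 only when no marker remains and the legitimate tags are intact.
verify_tree() {
    if grep -rqF -- "$MARKER" "$1"; then return 1; fi
    [ "$(head -n1 "$1/index.php")" = '<?php echo "legit"; ?>' ] || return 1
    [ "$(head -n1 "$1/sub dir/a b.php")" = '<?php' ] || return 1
    [ "$(cat "$1/clean.php")" = '<?php echo "clean"; ?>' ] || return 1
    return 0
}

# End-to-end run on the constructed tree; returns verify_tree's status.
demo() {
    d=$(make_sample)
    before=$(grep -rlF -- "$MARKER" "$d" | wc -l)
    clean_tree "$d"
    verify_tree "$d" && echo "cleaned $before file(s), legitimate tags intact"
}
```

Calling demo on a shell that has sourced the script cleans the two infected sample files and leaves clean.php untouched. If the injection ever sits on its own line, the same substitution leaves an empty first line behind rather than deleting anything else. As the answer says, removing the marker only proves the marker is gone: verify_tree checks that, not whether the files carry any other change from the intrusion.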






  • Thanks for the suggestions. The grep -Rl 457563643457563643 . commands is just fine to get list of infected files. However, running the grep -Rl 457563643457563643 . | xargs sed -i 's!<?php /*457563643457563643*/ ?><?php /*546754365467543636*/ ?.<?php /*6745833567458335*/ ?><?php /*87934538793453*/ ?>!!' didn't have any effect.
    – Nick
    2 days ago










  • After trying different ways this one finally worked: grep -Rl 457563643457563643 . | xargs sed -i 's!<[?]php.*457563643457563643*.*[?]>!!' Still I accept your answer, thanks!
    – Nick
    2 days ago










  • Unfortunately, the way I found strips extra tags that follow the injected pattern, so I am still in search for the right answer. The answer suggested simply does not work.
    – Nick
    yesterday










  • It looks like there were a couple of digits repeated in the command originally, but they're gone now and it works for me.
    – Michael Homer
    yesterday










  • So it works if you don't escape question marks as you initially suggested. Thanks a lot!
    – Nick
    yesterday


















edited yesterday
answered 2 days ago by Michael Homer










